July 5, 2012

Malicious computer code that leverages a newly-patched security flaw in Oracle’s Java software is set to be deployed later this week to cybercriminal operations powered by the BlackHole exploit pack. The addition of a new weapon to this malware arsenal will almost certainly lead to a spike in compromised PCs, as more than 3 billion devices run Java and many of these installations are months out of date.

I first learned about the new exploit from a KrebsOnSecurity reader named Dean who works in incident response for a financial firm. Dean was trying to trace the source of an infected computer in his network; he discovered the culprit appeared to be a malicious “.jar” file. A scan of the jar file at Virustotal.com showed that it was detected by just one antivirus product (Avira), which flagged it as “Java/Dldr.Lamar.BD”. The description of that threat says it targets a Javas vulnerability tagged as CVE-2012-1723, a critical bug fixed in Java 6 Update 33 and Java 7 Update 5.

The attack may be related to an exploit published for CVE-2012-1723 in mid-June by Michael ‘mihi’ Schierl. But according to the current vendor of the BlackHole exploit pack, the exact exploit for this vulnerability has only been shared and used privately to date. Reached via instant message, the BlackHole author said the new Java attack will be rolled into a software update to be made available on July 8 to all paying and licensed users of BlackHole.

Regardless of which operating system you use, if you have Java installed, I would advise you to update it, neuter it or remove it as soon as possible. The reason I say this is that Java requires constant patching, and it appears to be the favorite target of attackers these days.

Windows users can find out if they have Java installed and which version by visiting java.com and clicking the “Do I have Java? link. Mac users can use the Software Update feature to check for any available Java updates.

If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I  would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox (from the Add-ons menu, click Plugins and then disable anything Java related, and restart the browser), and then using an alternative browser (ChromeIE9Safari, etc.) with Java enabled to browse only the site that requires it.

Apple stopped bundling Java by default in OS X 10.7 (Lion), it offers instructions for downloading and installing the software framework when users access webpages that use it. The latest iteration of Java for OS X configures the Java browser plugin and Java Web Start to be deactivated if they remain unused for 35 days.

44 thoughts on “New Java Exploit to Debut in BlackHole Exploit Kits

      1. Brian Krebs

        It’s not exactly auto-update. It will automagically check once a week and alert you of any updates. I believe the user still has to allow the installation.

        1. Steve

          At least on Windows, you can set the frequency of update checks to as often as once a day. Click the Advanced button in the Updates tab of the Java Control Panel.

      2. Jason

        Incorrect. Java will check for updates automatically but it won’t install them. The user has to kick off the installation manually.

        1. satrow

          If it auto-push installed, corporate users would be up in arms.

          Use the auto-check function offered during install and watch for the Java icon in the tray that signifies an update.

          Or uninstall it, many home users won’t miss it and IE surfing will be safer.

          1. Jason

            “IE surfing will be safer?”

            no, just no. Please don’t tell people to turn java off then point them to IE

            1. satrow

              You can’t “turn Java off” in IE. That’s why uninstalling Java is safer for users of IE.

              1. mechBgon

                Yes, you can disable Java in IE. On a per-Zone basis, in fact. If you have a few sites that need Java, forcing you to have it installed, then add those sites to the Trusted Sites zone and leave Java enabled there, then disable it in the Internet Zone.

                This setting is in Internet Options on the Security tab. Select the Zone you want to change, then click Custom Level and scroll down to nearly the bottom, where you can set scripting of Java applets to the desired setting.

                I’d certainly rather be rid of Java entirely, but if you’ve got some non-negotiable needs for it, there’s your workaround. I’d also suggest using Microsoft EMET and manually adding Java.exe and all browsers, media players, PDF readers, office software, email clients, IM clients, and other predictable exploit targets to EMET’s protected-apps list.

      3. mihi

        Usually Java updates are every 4 months (3 times a year, Feb, Jun, Oct), not every 3 months.

  1. nonegiven

    Is there a way to disable Java in Chrome?

    1. Lee

      I use an extension called “ScriptNo” which acts like “NoScript” for Firefox but is better IMO.

      1. nonegiven

        I thought Java isn’t Javascript and they are 2 entirely different things.

        1. BrianKrebs Post author

          That’s correct. Java and Javascript are two very different things. But, Noscript (and perhaps other script blocking addons) blocks Java applets by default.

            1. Kbarb

              So just so I get this straight, I get the distinction, but which is being abused more – Java, or JavaScript – or both equally ?

              For controls, in Firefox I see :

              Options>>Content : Enable JavaScript

              Tools>>Addons>>Plugins :
              >>>Java Deployment Toolkit
              >>>Java Platform SE 7

              (What is the purpose of “Java Deployment Toolkit ” btw.)

              I was under the impression that just about every site I visit regularly is employing some kind of JavaScript, so I’ve always left it enabled, despite the security risk.
              It can be a real pain when something doesn’t seem to work correctly, and you have no clear idea why without spending a lot of time tracking it down.

              Anyway, curious about the relative risks of Java vs JavaScript.

      2. bruce

        “scriptno” comes up under a google search in firefox but not in chrome ????

  2. Hans

    Mr Krebs, Chrome now also has the ability to disable Java and use it only when required…

  3. CJ Flynn


    It seems that you are right and wrong (or misleading) concerning Apple.

    Java is not turned on automatically anymore, and it does turn off Java if unused for a while (I have no way to confirm 35 days, but it does turn off.)

    On the other hand, as recently as 12 June 2012 there is a Java update for 10.6 users. See: Java for Mac OS X 10.6 Update 9

    For 10.7 users, somehow I am up to date with 1.6.0_33 but my 1.7.0 is only at 04. When I go to the Java page Free Java Download: Download Java for your desktop computer now! Version 7 Update 5 it takes me to a page:
    Java for Apple which says that “Apple supplies their own version of Java. Use Software Update feature available on the Apple menu…

    It may be that Version 7 is not running on Mac OS at all, but that I have it because I have a developers release? Need more data…

  4. CJ Flynn

    Update: 1
    When I run How do I test whether Java is working on my computer? it says that I am running Version Java SE 6 Update 33, even though the Version 7 is on the top of the list in my Java Preferences.

    This page also says:
    Mac Users: Choose the Software Update item on the Apple menu to check that you have the most up-to-date version of Java on your Mac.

      1. CJ Flynn

        Hmmm…on re-reading what you wrote, and restricting it to Version 10.7 (Lion) as you did, and restricting to Apple not bundling Java in OS 10.7.x, it may be that you are completely right and not misleading.

        Without uninstalling Java on my 10.7.4 mac, I can’t be completely certain.

        But if I turn off all my Java versions, then go to the Java test page, there is no recommendation from Apple on what to do “for downloading and installing the software framework”. There is just a note on the Java page for Mac users to use Software Update to “check that you have the most up-to-date version…”

        Also, if I open a page in LibreOffice and try something from the menus that needs Java, it gives a libreoffice error, but nothing from Apple on what to do.

        And, like I said above, Java’s update page doesn’t have a Mac iteration to download, and also refers me to the Mac Software Update. Software Update doesn’t suggest that I download Java, but I have only turned it off, not uninstalled.

        My point is that – at best – I don’t think that Apple and Oracle have this all worked out yet for Lion users and that there are still a lot of 10.6 and 10.5 users who are still reliant on Apple for their Java updates.

  5. Yaya

    In addition to turning off Java in the browser, I also have Flash set to require me to click it to run it. A lot of flash exploits run in hidden iframes. This is only a little annoying as I have to click the youtube frame to make it run, but honestly, not having flash-based ads blaring audio when you hit a page is a huge plus as well.


    1. TJ

      The Opera browser has a simple solution to these plug-in issues. In preferences , just select “Enable plug-ins only on demand.”

      On YouTube, for example, you just get a big “play” symbol in the middle of the frame.

  6. Jeff

    So if we have the latest version of Java (1.6.0_33) on our Windows Operating System, using a Firefox browser are we safe or do we need to take additional steps like removing the older versions of java from the system all together, I don’t’ get it?

    1. Rabid Howler Monkey

      Regarding the ComputerWorld article, this is a very good link. Two notes, though: 1) the author was unable to disable Java in Internet Explorer 9, and 2) the author was able to disable Java in Internet Explorer 8 only *AS THE ADMINISTRATOR*.

      Nobody runs as the default user in Windows anymore, right? As a technical solution to malware, least privilege beats everything else (just note that it doesn’t always work). Create a restricted user account and use it for day-to-day computing in Windows. Use the default account only to administer the PC (e.g., configuration, install/uninstall software).

      1. Dean

        I’d have to disagree with Least Privilege beating everything else, it certainly helps the clean up as the Malware is contained within the user’s profile, so a new profile effectively cleans the infection.

        I work in an environment where at least 90% of the workstations are running with only user privileges but they still get infected.

        The more savvy malware authors long ago made their code “portable” so it doesn’t require administrator privileges to install, if you write to the user’s profile and Current User registry keys and hook into user owned processes then it still works and they get maximum coverage.

        As far as Drivebys go Least Privilege and Patching are equally important and if you have the luxury, Firefox with Adblocker Plus and NoScript, means that Drive by infections are a thing of the past.

        Unfortunately none of this is easy for the average user and for some it’s a hassle and nowhere near as important as updating their Facebook status.


        1. Brian Krebs

          I’d have to agree with Dean. Most of the threats out there today work just fine on limited account. Granted, the damage may be limited somewhat by infecting an admin account vs. a user account, but if the malware is able to hijack browser sessions, steal passwords and the like, it really doesn’t matter.

          It certainly is a good idea to adopt least user privileges on all operating systems. But on the Windows space, in the face of modern malware, the benefits of running under limited account are hardly the same as in years prior.

          1. Tom

            I can verify that the LUP approach is no longer a guarantee of no troubles–this one snagged me yesterday and it took a couple of hours to fix :-\

            I serve as a low-level tech resource for a number of computer un-savvy friends and am getting very pessimistic about the prospects of keeping them out of trouble given things like this.

          2. Rabid Howler Monkey

            Brian Krebs wrote:
            “Granted, the damage may be limited somewhat by infecting an admin account vs. a user account, but if the malware is able to hijack browser sessions, steal passwords and the like, it really doesn’t matter.

            Here’s why I believe it does matter. One recommendation I have made at this site previously and elsewhere is that one should not conduct sensitive online activities (e.g., online banking, securities trading, portfolio management) in their day-to-day restricted user account. Instead, create another restricted user account dedicated to these sensitive online activities. If the day-to-day user account gets owned, it is compartmentalized from the user account used for sensitive activities and one’s passwords, accounts and financial assets are likely to be safe.

            Of course, all bets are off if the user installs software (e.g., codecs) containing an MBR exploit, as an example, from an inappropriate site. However, more cautious users adhering to your three rules are more likely to avoid this situation.

            P.S. I am not referring to commercial enterprises where your advice is to use either a dedicated PC or a Linux LiveCD for online banking. I am referring, primarily, to consumers that choose to use their Windows, OS X or desktop Linux PC for these activities.

        2. Rabid Howler Monkey

          Agree than least privilege is not always effective. Thus, my disclaimer in parentheses, “just note that it doesn’t always work”. A high-profile example of malware that operates in a restricted user account is the Zeus banking trojan. However, MBR-infecting malware, mebroot as an example, will have a difficult time getting to the MBR from a restricted account, especially if the user doesn’t have the Admin credentials to type in when prompted.

          As far as enterprise users go, I would be tempted to add various Internet Explorer group policy restrictions along with Software Restriction Policy whitelisting (via gpedit.msc, for both executables and dll’s) or AppLocker for Windows 7.

          I agree that it’s hard for home users as most are also the local Admins What to do? In addition to restricted accounts, I usually recommend using Windows Vista/7 built-in Parental Controls to implement application control for each standard user account on the system. What I refer to as Software Restriction Policy “lite”, as dll protection is not provided.

          Windows XP Home? I recommend using the Chrome web browser in lieu of Internet Explorer as it is the only browser that is sandboxed on Windows XP. And Windows XP Pro? Again, I recommend using gpedit.msc to implement Software Restriction Policy whitelisting *along with* using the Chrome browser.

          Anyhow, these items, other than installing and using the Chrome browser, are not easy for the average user. Their advantage is that they, along with the ability to create restricted accounts, are provided by the Windows operating system. Thus, no 3rd party security software to learn and manage.

  7. Hans

    I use Chrome and there use to be a box that would pop up, axing whether or not you wish to use Java…

    Now it does not appear anymore and when I go to disable the pugin under settings there is no “under the hood” options!!

  8. Garry K

    One problem with Java is that when it gets updated it sometimes breaks functionality with some management consoles (like Symantec Endpoint Protection). So I can’t just update it, lest I not be able to easily control my anti-virus clients. The solution would be for companies (like Symantec) to NOT use Java for their software!

    But I’m not holding my breath.

    1. Dean

      If we talk about only “Drive By” infections then by far the best solution to me is Firefox with NoScript.

      NoScript will stop the drive by exploits as scripts will not run unless white-listed.

      The basic attack method is Compromised Site —> Exploit Server —> Exploit downloaded & executed —> Malware downloaded and executed.

      But because scripts will not run unless they’ve been allowed to run with NoScript, you should never find yourself at the receiving end of a bunch of exploits & Malware, even on an unpatched machine (This is no reason not to patch though!)

      Even if the initial compromised site has been white-listed, you will run the malicious script but when you land at the next step scripts will not run again unless they are also white-listed which is extremely unlikely.

      The Java VM is sandboxed but the numerous exploits allow the code to break out of it and execute malicious code within the operating system.

      The downside? NoScript is a little complex for the average user as thing like YouTube require not only YouTube.com but also the content server for videos to play.

      Oh and Firefox is seen as out of fashion now since Chrome but I still recommend it due it’s far superior plugin framework.


  9. Abrinum

    if we can not change the version of the JRE due to specific applications, can we limit its privileges by setting Java.policy file?

    1. Rabid Howler Monkey

      As far as I know, none of the web browsers sandbox the java plug-in on any operating system. As for limiting the java plug-in privileges, one can use built-in Windows integrity levels on Windows Vista/7. However, as implemented for Internet Explorer by Microsoft, the java plug-in does not run at low integrity level. Instead, it runs at medium integrity level.

      I have created a DIY sandbox on Windows Visa/7 for Firefox (and Opera) using Windows integrity levels that does run the java plug-in at low integrity level. To create a DIY sandbox for Firefox on Windows Vista/7, copy the following commands and paste them into Notepad:

      cd “C:\Program Files\Mozilla Firefox”
      icacls firefox.exe /setintegritylevel low
      cd C:\Users\USERNAME\AppData\Local
      icacls Mozilla /setintegritylevel (OI)(CI)low
      icacls Temp /setintegritylevel (OI)(CI)low
      cd C:\Users\USERNAME\AppData\Roaming
      icacls Mozilla /setintegritylevel (OI)(CI)low
      cd C:\Users\USERNAME
      mkdir Downloads
      icacls Downloads /setintegritylevel (OI)(CI)low

      Change USERNAME to your user name. Also, note that all files must be downloaded to folder C:\Users\USERNAME\Downloads (you can make this anything you want, but it must be a low integrity level folder). Save and name the file something like ‘SandboxFirefox.bat’ (the .bat extension is important). Then run the BAT file in either the Vista or 7 command prompt (cmd.exe) as the Administrator by typing in ‘SandboxFirefox.bat’ and pressing the ‘Enter’ key.

      Firefox now runs as a low integrity level process. In addition, the Java plug-in runs as a Firefox child process that is also low integrity level. Verify it by downloading and running Sysinternal’s Process Explorer and adding ‘integrity levels’ to the displayed columns. One drawback is that one can no longer apply updates to Firefox as the updater won’t work at low integrity level (there is no privilege broker). Instead, one must download updated Firefox versions from mozilla.com, install updated Firefox on top of the existing version and rerun the BAT file.

    2. Rabid Howler Monkey

      Another alternative (perhaps better than the above DIV approach above) is to download and install a 3rd party sandbox application for Windows. Examples include Trustware BufferZone Pro (free) and SandboxIE (both free and paid versions):



      One would then run their browser in the 3rd party sandbox and browser plug-ins like Java will also be sandboxed.

  10. Hans

    I just installed NO SCRIPT and it blocks Java…

    You can run a test by going to smart money and enter a stock ticker
    KOG, which is Kodiak Oil & Gas…

    Then click the chart option and if it loads, Java is not blocked..

    If it is blocked, you will see a icon in the upper left of the chart box…

    As I said before, it appears Chromey took that option away…

Comments are closed.